Method Detail

setEndpoint

Overrides the default endpoint for this client ("https://ec2.us-east-1.amazonaws.com"). Callers can use this
method to control which AWS region they want to work with.

Callers can pass in just the endpoint (ex: "ec2.us-east-1.amazonaws.com") or a full URL, including the protocol
(ex: "https://ec2.us-east-1.amazonaws.com"). If the protocol is not specified here, the default protocol from
this client's ClientConfiguration will be used, which by default is HTTPS.

This method is not threadsafe. An endpoint should be configured when the client is created and before any
service requests are made. Changing it afterwards creates inevitable race conditions for any service requests in
transit or retrying.

endpoint - The endpoint (ex: "ec2.us-east-1.amazonaws.com") or a full URL, including the protocol (ex:
"https://ec2.us-east-1.amazonaws.com") of the region specific AWS endpoint this client will communicate
with.

setRegion

An alternative to AmazonEC2.setEndpoint(String), sets the regional endpoint for this client's service
calls. Callers can use this method to control which AWS region they want to work with.

By default, all service endpoints in all regions use the https protocol. To use http instead, specify it in the
ClientConfiguration supplied at construction.

This method is not threadsafe. A region should be configured when the client is created and before any service
requests are made. Changing it afterwards creates inevitable race conditions for any service requests in transit
or retrying.

acceptVpcPeeringConnection

Accept a VPC peering connection request. To accept a request, the VPC peering connection must be in the
pending-acceptance state, and you must be the owner of the peer VPC. Use
DescribeVpcPeeringConnections to view your outstanding VPC peering connection requests.

For an inter-Region VPC peering connection request, you must accept the VPC peering connection in the Region of
the accepter VPC.

advertiseByoipCidr

Advertises an IPv4 address range that is provisioned for use with your AWS resources through bring your own IP
addresses (BYOIP).

You can perform this operation at most once every 10 seconds, even if you specify different address ranges each
time.

We recommend that you stop advertising the BYOIP CIDR from other locations when you advertise it from AWS. To
minimize down time, you can configure your AWS resources to use an address from a BYOIP CIDR before it is
advertised, and then simultaneously stop advertising it from the current location and start advertising it
through AWS.

It can take a few minutes before traffic to the specified addresses starts routing to AWS because of BGP
propagation delays.

allocateAddress

Allocates an Elastic IP address to your AWS account. After you allocate the Elastic IP address you can associate
it with an instance or network interface. After you release an Elastic IP address, it is released to the IP
address pool and can be allocated to a different AWS account.

You can allocate an Elastic IP address from an address pool owned by AWS or from an address pool created from a
public IPv4 address range that you have brought to AWS for use with your AWS resources using bring your own IP
addresses (BYOIP). For more information, see Bring Your Own IP Addresses (BYOIP)
in the Amazon Elastic Compute Cloud User Guide.

[EC2-VPC] If you release an Elastic IP address, you might be able to recover it. You cannot recover an Elastic IP
address that you released after it is allocated to another AWS account. You cannot recover an Elastic IP address
for EC2-Classic. To attempt to recover an Elastic IP address that you released, specify it in this operation.

An Elastic IP address is for use either in the EC2-Classic platform or in a VPC. By default, you can allocate 5
Elastic IP addresses for EC2-Classic per Region and 5 Elastic IP addresses for EC2-VPC per Region.

assignIpv6Addresses

Assigns one or more IPv6 addresses to the specified network interface. You can specify one or more specific IPv6
addresses, or you can specify the number of IPv6 addresses to be automatically assigned from within the subnet's
IPv6 CIDR block range. You can assign as many IPv6 addresses to a network interface as you can assign private
IPv4 addresses, and the limit varies per instance type. For information, see IP Addresses Per
Network Interface Per Instance Type in the Amazon Elastic Compute Cloud User Guide.

assignPrivateIpAddresses

Assigns one or more secondary private IP addresses to the specified network interface.

You can specify one or more specific secondary IP addresses, or you can specify the number of secondary IP
addresses to be automatically assigned within the subnet's CIDR block range. The number of secondary IP addresses
that you can assign to an instance varies by instance type. For information about instance types, see Instance Types in the
Amazon Elastic Compute Cloud User Guide. For more information about Elastic IP addresses, see Elastic IP Addresses
in the Amazon Elastic Compute Cloud User Guide.

When you move a secondary private IP address to another network interface, any Elastic IP address that is
associated with the IP address is also moved.

Remapping an IP address is an asynchronous operation. When you move an IP address from one network interface to
another, check network/interfaces/macs/mac/local-ipv4s in the instance metadata to confirm that the
remapping is complete.

associateAddress

Associates an Elastic IP address with an instance or a network interface. Before you can use an Elastic IP
address, you must allocate it to your account.

An Elastic IP address is for use in either the EC2-Classic platform or in a VPC. For more information, see Elastic IP Addresses
in the Amazon Elastic Compute Cloud User Guide.

[EC2-Classic, VPC in an EC2-VPC-only account] If the Elastic IP address is already associated with a different
instance, it is disassociated from that instance and associated with the specified instance. If you associate an
Elastic IP address with an instance that has an existing Elastic IP address, the existing address is
disassociated from the instance, but remains allocated to your account.

[VPC in an EC2-Classic account] If you don't specify a private IP address, the Elastic IP address is associated
with the primary IP address. If the Elastic IP address is already associated with a different instance or a
network interface, you get an error unless you allow reassociation. You cannot associate an Elastic IP address
with an instance or network interface that has an existing Elastic IP address.

This is an idempotent operation. If you perform the operation more than once, Amazon EC2 doesn't return an error,
and you may be charged for each time the Elastic IP address is remapped to the same instance. For more
information, see the Elastic IP Addresses section of Amazon
EC2 Pricing.

associateClientVpnTargetNetwork

Associates a target network with a Client VPN endpoint. A target network is a subnet in a VPC. You can associate
multiple subnets from the same VPC with a Client VPN endpoint. You can associate only one subnet in each
Availability Zone. We recommend that you associate at least two subnets to provide Availability Zone redundancy.

associateDhcpOptions

Associates a set of DHCP options (that you've previously created) with the specified VPC, or associates no DHCP
options with the VPC.

After you associate the options with the VPC, any existing instances and all new instances that you launch in
that VPC use the options. You don't need to restart or relaunch the instances. They automatically pick up the
changes within a few hours, depending on how frequently the instance renews its DHCP lease. You can explicitly
renew the lease using the operating system on the instance.

For more information, see DHCP Options Sets in the
Amazon Virtual Private Cloud User Guide.

associateRouteTable

Associates a subnet with a route table. The subnet and route table must be in the same VPC. This association
causes traffic originating from the subnet to be routed according to the routes in the route table. The action
returns an association ID, which you need in order to disassociate the route table from the subnet later. A route
table can be associated with multiple subnets.

For more information, see Route Tables in the
Amazon Virtual Private Cloud User Guide.

attachClassicLinkVpc

Links an EC2-Classic instance to a ClassicLink-enabled VPC through one or more of the VPC's security groups. You
cannot link an EC2-Classic instance to more than one VPC at a time. You can only link an instance that's in the
running state. An instance is automatically unlinked from a VPC when it's stopped - you can link it
to the VPC again when you restart it.

After you've linked an instance, you cannot change the VPC security groups that are associated with it. To change
the security groups, you must first unlink the instance, and then link it again.

Linking your instance to a VPC is sometimes referred to as attaching your instance.

attachInternetGateway

Attaches an internet gateway to a VPC, enabling connectivity between the internet and the VPC. For more
information about your VPC and internet gateway, see the Amazon Virtual Private Cloud User Guide.

authorizeSecurityGroupEgress

[VPC only] Adds the specified egress rules to a security group for use with a VPC.

An outbound rule permits instances to send traffic to the specified destination IPv4 or IPv6 CIDR address ranges,
or to the specified destination security groups for the same VPC.

You specify a protocol for each rule (for example, TCP). For the TCP and UDP protocols, you must also specify the
destination port or port range. For the ICMP protocol, you must also specify the ICMP type and code. You can use
-1 for the type or code to mean all types or all codes.

Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.

An inbound rule permits instances to receive traffic from the specified destination IPv4 or IPv6 CIDR address
ranges, or from the specified destination security groups.

You specify a protocol for each rule (for example, TCP). For TCP and UDP, you must also specify the destination
port or port range. For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. You can use -1 to mean
all types or all codes.

Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay
might occur.

cancelCapacityReservation

Cancels the specified Capacity Reservation, releases the reserved capacity, and changes the Capacity
Reservation's state to cancelled.

Instances running in the reserved capacity continue running until you stop them. Stopped instances that target
the Capacity Reservation can no longer launch. Modify these instances to either target a different Capacity
Reservation, launch On-Demand Instance capacity, or run in any open Capacity Reservation that has matching
attributes and sufficient capacity.

cancelConversionTask

Cancels an active conversion task. The task can be the import of an instance or volume. The action removes all
artifacts of the conversion, including a partially uploaded volume or instance. If the conversion is complete or
is in the process of transferring the final disk image, the command fails and returns an exception.

cancelExportTask

Cancels an active export task. The request removes all artifacts of the export, including any partially-created
Amazon S3 objects. If the export task is complete or is in the process of transferring the final disk image, the
command fails and returns an error.

cancelSpotFleetRequests

After you cancel a Spot Fleet request, the Spot Fleet launches no new Spot Instances. You must specify whether
the Spot Fleet should also terminate its Spot Instances. If you terminate the instances, the Spot Fleet request
enters the cancelled_terminating state. Otherwise, the Spot Fleet request enters the
cancelled_running state and the instances continue to run until they are interrupted or you
terminate them manually.

confirmProductInstance

Determines whether a product code is associated with an instance. This action can only be used by the owner of
the product code. It is useful when a product code owner must verify whether another user's instance is eligible
for support.

copyImage

Initiates the copy of an AMI from the specified source Region to the current Region. You specify the destination
Region by using its endpoint when making the request.

Copies of encrypted backing snapshots for the AMI are encrypted. Copies of unencrypted backing snapshots remain
unencrypted, unless you set Encrypted during the copy operation. You cannot create an unencrypted
copy of an encrypted backing snapshot.

For more information about the prerequisites and limits when copying an AMI, see Copying an AMI in the Amazon
Elastic Compute Cloud User Guide.

copySnapshot

Copies a point-in-time snapshot of an EBS volume and stores it in Amazon S3. You can copy the snapshot within the
same Region or from one Region to another. You can use the snapshot to create EBS volumes or Amazon Machine
Images (AMIs). The snapshot is copied to the regional endpoint that you send the HTTP request to.

Copies of encrypted EBS snapshots remain encrypted. Copies of unencrypted snapshots remain unencrypted, unless
the Encrypted flag is specified during the snapshot copy operation. By default, encrypted snapshot
copies use the default AWS Key Management Service (AWS KMS) customer master key (CMK); however, you can specify a
non-default CMK with the KmsKeyId parameter.

To copy an encrypted snapshot that has been shared from another account, you must have permissions for the CMK
used to encrypt the snapshot.

Snapshots created by copying another snapshot have an arbitrary volume ID that should not be used for any
purpose.

Capacity Reservations enable you to reserve capacity for your Amazon EC2 instances in a specific Availability
Zone for any duration. This gives you the flexibility to selectively add capacity reservations and still get the
Regional RI discounts for that usage. By creating Capacity Reservations, you ensure that you always have access
to Amazon EC2 capacity when you need it, for as long as you need it. For more information, see Capacity
Reservations in the Amazon Elastic Compute Cloud User Guide.

Your request to create a Capacity Reservation could fail if Amazon EC2 does not have sufficient capacity to
fulfill the request. If your request fails due to Amazon EC2 capacity constraints, either try again at a later
time, try in a different Availability Zone, or request a smaller capacity reservation. If your application is
flexible across instance types and sizes, try to create a Capacity Reservation with different instance
attributes.

Your request could also fail if the requested quantity exceeds your On-Demand Instance limit for the selected
instance type. If your request fails due to limit constraints, increase your On-Demand Instance limit for the
required instance type and try again. For more information about increasing your instance limits, see Amazon EC2 Service Limits
in the Amazon Elastic Compute Cloud User Guide.

createClientVpnEndpoint

Creates a Client VPN endpoint. A Client VPN endpoint is the resource you create and configure to enable and
manage client VPN sessions. It is the destination endpoint at which all client VPN sessions are terminated.

createClientVpnRoute

Adds a route to a network to a Client VPN endpoint. Each Client VPN endpoint has a route table that describes the
available destination network routes. Each route in the route table specifies the path for traﬃc to speciﬁc
resources or networks.

createCustomerGateway

Provides information to AWS about your VPN customer gateway device. The customer gateway is the appliance at your
end of the VPN connection. (The device on the AWS side of the VPN connection is the virtual private gateway.) You
must provide the Internet-routable IP address of the customer gateway's external interface. The IP address must
be static and may be behind a device performing network address translation (NAT).

For devices that use Border Gateway Protocol (BGP), you can also provide the device's BGP Autonomous System
Number (ASN). You can use an existing ASN assigned to your network. If you don't have an ASN already, you can use
a private ASN (in the 64512 - 65534 range).

Amazon EC2 supports all 2-byte ASN numbers in the range of 1 - 65534, with the exception of 7224, which is
reserved in the us-east-1 Region, and 9059, which is reserved in the eu-west-1 Region.

You cannot create more than one customer gateway with the same VPN type, IP address, and BGP ASN parameter
values. If you run an identical request more than one time, the first request creates the customer gateway, and
subsequent requests return information about the existing customer gateway. The subsequent requests do not create
new customer gateway resources.

createDefaultSubnet

Creates a default subnet with a size /20 IPv4 CIDR block in the specified Availability Zone in your
default VPC. You can have only one default subnet per Availability Zone. For more information, see Creating a
Default Subnet in the Amazon Virtual Private Cloud User Guide.

createDefaultVpc

Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet in each Availability
Zone. For more information about the components of a default VPC, see Default VPC and Default
Subnets in the Amazon Virtual Private Cloud User Guide. You cannot specify the components of the
default VPC yourself.

If you deleted your previous default VPC, you can create a default VPC. You cannot have more than one default VPC
per Region.

If your account supports EC2-Classic, you cannot use this action to create a default VPC in a Region that
supports EC2-Classic. If you want a default VPC in a Region that supports EC2-Classic, see
"I really want a default VPC for my existing EC2 account. Is that possible?" in the Default VPCs FAQ.

createDhcpOptions

Creates a set of DHCP options for your VPC. After creating the set, you must associate it with the VPC, causing
all existing and new instances that you launch in the VPC to use this set of DHCP options. The following are the
individual DHCP options you can specify. For more information about the options, see RFC 2132.

domain-name-servers - The IP addresses of up to four domain name servers, or AmazonProvidedDNS. The
default DHCP option set specifies AmazonProvidedDNS. If specifying more than one domain name server, specify the
IP addresses in a single parameter, separated by commas. ITo have your instance to receive a custom DNS hostname
as specified in domain-name, you must set domain-name-servers to a custom DNS server.

domain-name - If you're using AmazonProvidedDNS in us-east-1, specify
ec2.internal. If you're using AmazonProvidedDNS in another Region, specify
region.compute.internal (for example, ap-northeast-1.compute.internal). Otherwise,
specify a domain name (for example, MyCompany.com). This value is used to complete unqualified DNS
hostnames. Important: Some Linux operating systems accept multiple domain names separated by spaces.
However, Windows and other Linux operating systems treat the value as a single domain, which results in
unexpected behavior. If your DHCP options set is associated with a VPC that has instances with multiple operating
systems, specify only one domain name.

ntp-servers - The IP addresses of up to four Network Time Protocol (NTP) servers.

netbios-name-servers - The IP addresses of up to four NetBIOS name servers.

netbios-node-type - The NetBIOS node type (1, 2, 4, or 8). We recommend that you specify 2
(broadcast and multicast are not currently supported). For more information about these node types, see RFC 2132.

Your VPC automatically starts out with a set of DHCP options that includes only a DNS server that we provide
(AmazonProvidedDNS). If you create a set of options, and if your VPC has an internet gateway, make sure to set
the domain-name-servers option either to AmazonProvidedDNS or to a domain name server
of your choice. For more information, see DHCP Options Sets in the
Amazon Virtual Private Cloud User Guide.

createEgressOnlyInternetGateway

[IPv6 only] Creates an egress-only internet gateway for your VPC. An egress-only internet gateway is used to
enable outbound communication over IPv6 from instances in your VPC to the internet, and prevents hosts outside of
your VPC from initiating an IPv6 connection with your instance.

createFlowLogs

Creates one or more flow logs to capture information about IP traffic for a specific network interface, subnet,
or VPC.

Flow log data for a monitored network interface is recorded as flow log records, which are log events consisting
of fields that describe the traffic flow. For more information, see Flow Log
Records in the Amazon Virtual Private Cloud User Guide.

When publishing to CloudWatch Logs, flow log records are published to a log group, and each network interface has
a unique log stream in the log group. When publishing to Amazon S3, flow log records for all of the monitored
network interfaces are published to a single log file object that is stored in the specified bucket.

For more information, see VPC
Flow Logs in the Amazon Virtual Private Cloud User Guide.

createFpgaImage

The create operation is asynchronous. To verify that the AFI is ready for use, check the output logs.

An AFI contains the FPGA bitstream that is ready to download to an FPGA. You can securely deploy an AFI on
multiple FPGA-accelerated instances. For more information, see the AWS
FPGA Hardware Development Kit.

createImage

Creates an Amazon EBS-backed AMI from an Amazon EBS-backed instance that is either running or stopped.

If you customized your instance with instance store volumes or EBS volumes in addition to the root device volume,
the new AMI contains block device mapping information for those volumes. When you launch an instance from this
new AMI, the instance automatically launches with those additional volumes.

createKeyPair

Creates a 2048-bit RSA key pair with the specified name. Amazon EC2 stores the public key and displays the
private key for you to save to a file. The private key is returned as an unencrypted PEM encoded PKCS#1 private
key. If a key with the specified name already exists, Amazon EC2 returns an error.

You can have up to five thousand key pairs per Region.

The key pair returned to you is available only in the Region in which you create it. If you prefer, you can
create your own key pair using a third-party tool and upload it to any Region using ImportKeyPair.

For more information, see Key
Pairs in the Amazon Elastic Compute Cloud User Guide.

createLaunchTemplate

Creates a launch template. A launch template contains the parameters to launch an instance. When you launch an
instance using RunInstances, you can specify a launch template instead of providing the launch parameters
in the request.

createNatGateway

Creates a NAT gateway in the specified public subnet. This action creates a network interface in the specified
subnet with a private IP address from the IP address range of the subnet. Internet-bound traffic from a private
subnet can be routed to the NAT gateway, therefore enabling instances in the private subnet to connect to the
internet. For more information, see NAT Gateways in the
Amazon Virtual Private Cloud User Guide.

createNetworkAclEntry

Creates an entry (a rule) in a network ACL with the specified rule number. Each network ACL has a set of numbered
ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in
or out of a subnet associated with the ACL, we process the entries in the ACL according to the rule numbers, in
ascending order. Each network ACL has a set of ingress rules and a separate set of egress rules.

We recommend that you leave room between the rule numbers (for example, 100, 110, 120, ...), and not number them
one right after the other (for example, 101, 102, 103, ...). This makes it easier to add a rule between existing
ones without having to renumber the rules.

After you add an entry, you can't modify it; you must either replace it, or create an entry and delete the old
one.

For more information about network ACLs, see Network ACLs in the Amazon
Virtual Private Cloud User Guide.

createPlacementGroup

Creates a placement group in which to launch instances. The strategy of the placement group determines how the
instances are organized within the group.

A cluster placement group is a logical grouping of instances within a single Availability Zone that
benefit from low network latency, high network throughput. A spread placement group places instances
on distinct hardware. A partition placement group places groups of instances in different
partitions, where instances in one partition do not share the same hardware with instances in another partition.

For more information, see Placement Groups in the
Amazon Elastic Compute Cloud User Guide.

createReservedInstancesListing

Creates a listing for Amazon EC2 Standard Reserved Instances to be sold in the Reserved Instance Marketplace. You
can submit one Standard Reserved Instance listing at a time. To get a list of your Standard Reserved Instances,
you can use the DescribeReservedInstances operation.

Only Standard Reserved Instances can be sold in the Reserved Instance Marketplace. Convertible Reserved Instances
cannot be sold.

The Reserved Instance Marketplace matches sellers who want to resell Standard Reserved Instance capacity that
they no longer need with buyers who want to purchase additional capacity. Reserved Instances bought and sold
through the Reserved Instance Marketplace work like any other Reserved Instances.

To sell your Standard Reserved Instances, you must first register as a seller in the Reserved Instance
Marketplace. After completing the registration process, you can create a Reserved Instance Marketplace listing of
some or all of your Standard Reserved Instances, and specify the upfront price to receive for them. Your Standard
Reserved Instance listings then become available for purchase. To view the details of your Standard Reserved
Instance listing, you can use the DescribeReservedInstancesListings operation.

When determining how to route traffic, we use the route with the most specific match. For example, traffic is
destined for the IPv4 address 192.0.2.3, and the route table includes the following two IPv4 routes:

192.0.2.0/24 (goes to some target A)

192.0.2.0/28 (goes to some target B)

Both routes apply to the traffic destined for 192.0.2.3. However, the second route in the list
covers a smaller number of IP addresses and is therefore more specific, so we use that route to determine where
to target the traffic.

For more information about route tables, see Route Tables in the
Amazon Virtual Private Cloud User Guide.

createSecurityGroup

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. For more
information, see Amazon
EC2 Security Groups in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your
VPC in the Amazon Virtual Private Cloud User Guide.

When you create a security group, you specify a friendly name of your choice. You can have a security group for
use in EC2-Classic with the same name as a security group for use in a VPC. However, you can't have two security
groups for use in EC2-Classic with the same name or two security groups for use in a VPC with the same name.

You have a default security group for use in EC2-Classic and a default security group for use in your VPC. If you
don't specify a security group when you launch an instance, the instance is launched into the appropriate default
security group. A default security group includes a default rule that grants instances unrestricted network
access to each other.

createSnapshot

Creates a snapshot of an EBS volume and stores it in Amazon S3. You can use snapshots for backups, to make copies
of EBS volumes, and to save data before shutting down an instance.

When a snapshot is created, any AWS Marketplace product codes that are associated with the source volume are
propagated to the snapshot.

You can take a snapshot of an attached volume that is in use. However, snapshots only capture data that has been
written to your EBS volume at the time the snapshot command is issued; this may exclude any data that has been
cached by any applications or the operating system. If you can pause any file systems on the volume long enough
to take a snapshot, your snapshot should be complete. However, if you cannot pause all file writes to the volume,
you should unmount the volume from within the instance, issue the snapshot command, and then remount the volume
to ensure a consistent and complete snapshot. You may remount and use your volume while the snapshot status is
pending.

To create a snapshot for EBS volumes that serve as root devices, you should stop the instance before taking the
snapshot.

Snapshots that are taken from encrypted volumes are automatically encrypted. Volumes that are created from
encrypted snapshots are also automatically encrypted. Your encrypted volumes and any associated snapshots always
remain protected.

createSpotDatafeedSubscription

Creates a data feed for Spot Instances, enabling you to view Spot Instance usage logs. You can create one data
feed per AWS account. For more information, see Spot Instance Data Feed in
the Amazon EC2 User Guide for Linux Instances.

createSubnet

When you create each subnet, you provide the VPC ID and IPv4 CIDR block for the subnet. After you create a
subnet, you can't change its CIDR block. The size of the subnet's IPv4 CIDR block can be the same as a VPC's IPv4
CIDR block, or a subset of a VPC's IPv4 CIDR block. If you create more than one subnet in a VPC, the subnets'
CIDR blocks must not overlap. The smallest IPv4 subnet (and VPC) you can create uses a /28 netmask (16 IPv4
addresses), and the largest uses a /16 netmask (65,536 IPv4 addresses).

If you've associated an IPv6 CIDR block with your VPC, you can create a subnet with an IPv6 CIDR block that uses
a /64 prefix length.

AWS reserves both the first four and the last IPv4 address in each subnet's CIDR block. They're not available for
use.

If you add more than one subnet to a VPC, they're set up in a star topology with a logical router in the middle.

If you launch an instance in a VPC using an Amazon EBS-backed AMI, the IP address doesn't change if you stop and
restart the instance (unlike a similar instance launched outside a VPC, which gets a new IP address when
restarted). It's therefore possible to have a subnet with no running instances (they're all stopped), but no
remaining IP addresses available.

For more information about subnets, see Your VPC and Subnets in the
Amazon Virtual Private Cloud User Guide.

createTags

Adds or overwrites the specified tags for the specified Amazon EC2 resource or resources. Each resource can have
a maximum of 50 tags. Each tag consists of a key and optional value. Tag keys must be unique per resource.

createTransitGateway

You can use a transit gateway to interconnect your virtual private clouds (VPC) and on-premises networks. After
the transit gateway enters the available state, you can attach your VPCs and VPN connections to the
transit gateway.

When you create a transit gateway, we create a default transit gateway route table and use it as the default
association route table and the default propagation route table. You can use
CreateTransitGatewayRouteTable to create additional transit gateway route tables. If you disable automatic
route propagation, we do not create a default transit gateway route table. You can use
EnableTransitGatewayRouteTablePropagation to propagate routes from a resource attachment to a transit
gateway route table. If you disable automatic associations, you can use AssociateTransitGatewayRouteTable
to associate a resource attachment with a transit gateway route table.

createVolume

Creates an EBS volume that can be attached to an instance in the same Availability Zone. The volume is created in
the regional endpoint that you send the HTTP request to. For more information see Regions and Endpoints.

You can create a new empty volume or restore a volume from an EBS snapshot. Any AWS Marketplace product codes
from the snapshot are propagated to the volume.

You can create encrypted volumes with the Encrypted parameter. Encrypted volumes may only be
attached to instances that support Amazon EBS encryption. Volumes that are created from encrypted snapshots are
also automatically encrypted. For more information, see Amazon EBS Encryption in the
Amazon Elastic Compute Cloud User Guide.

createVpc

Creates a VPC with the specified IPv4 CIDR block. The smallest VPC you can create uses a /28 netmask (16 IPv4
addresses), and the largest uses a /16 netmask (65,536 IPv4 addresses). For more information about how large to
make your VPC, see Your VPC and
Subnets in the Amazon Virtual Private Cloud User Guide.

You can optionally request an Amazon-provided IPv6 CIDR block for the VPC. The IPv6 CIDR block uses a /56 prefix
length, and is allocated from Amazon's pool of IPv6 addresses. You cannot choose the IPv6 range for your VPC.

By default, each instance you launch in the VPC has the default DHCP options, which include only a default DNS
server that we provide (AmazonProvidedDNS). For more information, see DHCP Options Sets in the
Amazon Virtual Private Cloud User Guide.

You can specify the instance tenancy value for the VPC when you create it. You can't change this value for the
VPC after you create it. For more information, see Dedicated Instances in the
Amazon Elastic Compute Cloud User Guide.

createVpcEndpoint

Creates a VPC endpoint for a specified service. An endpoint enables you to create a private connection between
your VPC and the service. The service may be provided by AWS, an AWS Marketplace partner, or another AWS account.
For more information, see VPC
Endpoints in the Amazon Virtual Private Cloud User Guide.

A gateway endpoint serves as a target for a route in your route table for traffic destined for the
AWS service. You can specify an endpoint policy to attach to the endpoint that will control access to the service
from your VPC. You can also specify the VPC route tables that use the endpoint.

An interface endpoint is a network interface in your subnet that serves as an endpoint for
communicating with the specified service. You can specify the subnets in which to create an endpoint, and the
security groups to associate with the endpoint network interface.

createVpcEndpointConnectionNotification

Creates a connection notification for a specified VPC endpoint or VPC endpoint service. A connection notification
notifies you of specific endpoint events. You must create an SNS topic to receive notifications. For more
information, see Create a Topic in the
Amazon Simple Notification Service Developer Guide.

You can create a connection notification for interface endpoints only.

createVpcEndpointServiceConfiguration

Creates a VPC endpoint service configuration to which service consumers (AWS accounts, IAM users, and IAM roles)
can connect. Service consumers can create an interface VPC endpoint to connect to your service.

To create an endpoint service configuration, you must first create a Network Load Balancer for your service. For
more information, see VPC
Endpoint Services in the Amazon Virtual Private Cloud User Guide.

createVpcPeeringConnection

Requests a VPC peering connection between two VPCs: a requester VPC that you own and an accepter VPC with which
to create the connection. The accepter VPC can belong to another AWS account and can be in a different Region to
the requester VPC. The requester VPC and accepter VPC cannot have overlapping CIDR blocks.

Limitations and rules apply to a VPC peering connection. For more information, see the limitations section in the VPC Peering Guide.

The owner of the accepter VPC must accept the peering request to activate the peering connection. The VPC peering
connection request expires after 7 days, after which it cannot be accepted or rejected.

If you create a VPC peering connection request between VPCs with overlapping CIDR blocks, the VPC peering
connection has a status of failed.

createVpnConnectionRoute

Creates a static route associated with a VPN connection between an existing virtual private gateway and a VPN
customer gateway. The static route allows traffic to be routed from the virtual private gateway to the VPN
customer gateway.

deleteClientVpnRoute

Deletes a route from a Client VPN endpoint. You can only delete routes that you manually added using the
CreateClientVpnRoute action. You cannot delete routes that were automatically added when associating a
subnet. To remove routes that have been automatically added, disassociate the target subnet from the Client VPN
endpoint.

deleteDhcpOptions

Deletes the specified set of DHCP options. You must disassociate the set of DHCP options before you can delete
it. You can disassociate the set of DHCP options by associating either a new set of options or the default set of
options with the VPC.

deleteFleets

After you delete an EC2 Fleet, it launches no new instances. You must specify whether an EC2 Fleet should also
terminate its instances. If you terminate the instances, the EC2 Fleet enters the
deleted_terminating state. Otherwise, the EC2 Fleet enters the deleted_running state,
and the instances continue to run until they are interrupted or you terminate them manually.

deleteLaunchTemplateVersions

Deletes one or more versions of a launch template. You cannot delete the default version of a launch template;
you must first assign a different version as the default. If the default version is the only version for the
launch template, you must delete the entire launch template using DeleteLaunchTemplate.

deleteNatGateway

Deletes the specified NAT gateway. Deleting a NAT gateway disassociates its Elastic IP address, but does not
release the address from your account. Deleting a NAT gateway does not delete any NAT gateway routes in your
route tables.

deleteNetworkInterfacePermission

Deletes a permission for a network interface. By default, you cannot delete the permission if the account for
which you're removing the permission has attached the network interface to an instance. However, you can force
delete the permission, regardless of any attachment.

deletePlacementGroup

Deletes the specified placement group. You must terminate all instances in the placement group before you can
delete the placement group. For more information, see Placement Groups in the
Amazon Elastic Compute Cloud User Guide.

deleteSecurityGroup

If you attempt to delete a security group that is associated with an instance, or is referenced by another
security group, the operation fails with InvalidGroup.InUse in EC2-Classic or
DependencyViolation in EC2-VPC.

deleteSnapshot

When you make periodic snapshots of a volume, the snapshots are incremental, and only the blocks on the device
that have changed since your last snapshot are saved in the new snapshot. When you delete a snapshot, only the
data not needed for any other snapshot is removed. So regardless of which prior snapshots have been deleted, all
active snapshots will have access to all the information needed to restore the volume.

You cannot delete a snapshot of the root device of an EBS volume used by a registered AMI. You must first
de-register the AMI before you can delete the snapshot.

deleteVpc

Deletes the specified VPC. You must detach or delete all gateways and resources that are associated with the VPC
before you can delete it. For example, you must terminate all instances running in the VPC, delete all security
groups associated with the VPC (except the default one), delete all route tables associated with the VPC (except
the default one), and so on.

deleteVpcEndpointServiceConfigurations

Deletes one or more VPC endpoint service configurations in your account. Before you delete the endpoint service
configuration, you must reject any Available or PendingAcceptance interface endpoint
connections that are attached to the service.

deleteVpcEndpoints

Deletes one or more specified VPC endpoints. Deleting a gateway endpoint also deletes the endpoint routes in the
route tables that were associated with the endpoint. Deleting an interface endpoint deletes the endpoint network
interfaces.

deleteVpcPeeringConnection

Deletes a VPC peering connection. Either the owner of the requester VPC or the owner of the accepter VPC can
delete the VPC peering connection if it's in the active state. The owner of the requester VPC can
delete a VPC peering connection in the pending-acceptance state. You cannot delete a VPC peering
connection that's in the failed state.

deleteVpnConnection

If you're deleting the VPC and its associated components, we recommend that you detach the virtual private
gateway from the VPC and delete the VPC before deleting the VPN connection. If you believe that the tunnel
credentials for your VPN connection have been compromised, you can delete the VPN connection and create a new one
that has new keys, without needing to delete the VPC or virtual private gateway. If you create a new VPN
connection, you must reconfigure the customer gateway using the new configuration information returned with the
new VPN connection ID.

deleteVpnConnectionRoute

Deletes the specified static route associated with a VPN connection between an existing virtual private gateway
and a VPN customer gateway. The static route allows traffic to be routed from the virtual private gateway to the
VPN customer gateway.

deleteVpnGateway

Deletes the specified virtual private gateway. We recommend that before you delete a virtual private gateway, you
detach it from the VPC and delete the VPN connection. Note that you don't need to delete the virtual private
gateway if you plan to delete and recreate the VPN connection between your VPC and your network.

deregisterImage

Deregisters the specified AMI. After you deregister an AMI, it can't be used to launch new instances; however, it
doesn't affect any instances that you've already launched from the AMI. You'll continue to incur usage costs for
those instances until you terminate them.

When you deregister an Amazon EBS-backed AMI, it doesn't affect the snapshot that was created for the root volume
of the instance during the AMI creation process. When you deregister an instance store-backed AMI, it doesn't
affect the files that you uploaded to Amazon S3 when you created the AMI.

describeAggregateIdFormat

Describes the longer ID format settings for all resource types in a specific Region. This request is useful for
performing a quick audit to determine whether a specific Region is fully opted in for longer IDs (17-character
IDs).

This request only returns information about resource types that support longer IDs.

describeAvailabilityZones

Describes the Availability Zones that are available to you. The results include zones only for the Region you're
currently using. If there is an event impacting an Availability Zone, you can use this request to view the state
and any provided message for that Availability Zone.

describeBundleTasks

Completed bundle tasks are listed for only a limited time. If your bundle task is no longer in the list, you can
still register an AMI from it. Just use RegisterImage with the Amazon S3 bucket name and image
manifest name you provided to the bundle task.

describeClassicLinkInstances

Describes one or more of your linked EC2-Classic instances. This request only returns information about
EC2-Classic instances linked to a VPC through ClassicLink. You cannot use this request to return information
about other instances.

describeHostReservationOfferings

Describes the Dedicated Host reservations that are available to purchase.

The results describe all the Dedicated Host reservation offerings, including offerings that may not match the
instance family and Region of your Dedicated Hosts. When purchasing an offering, ensure that the instance family
and Region of the offering matches that of the Dedicated Hosts with which it is to be associated. For more
information about supported instance types, see Dedicated Hosts
Overview in the Amazon Elastic Compute Cloud User Guide.

describeHosts

The results describe only the Dedicated Hosts in the Region you're currently using. All listed instances consume
capacity on your Dedicated Host. Dedicated Hosts that have recently been released are listed with the state
released.

describeIdFormat

Describes the ID format settings for your resources on a per-Region basis, for example, to view which resource
types are enabled for longer IDs. This request only returns information about resource types whose ID formats can
be modified; it does not return information about other resource types.

These settings apply to the IAM user who makes the request; they do not apply to the entire AWS account. By
default, an IAM user defaults to the same settings as the root user, unless they explicitly override the settings
by running the ModifyIdFormat command. Resources created with longer IDs are visible to all IAM users,
regardless of these settings and provided that they have permission to use the relevant Describe
command for the resource type.

describeIdentityIdFormat

Describes the ID format settings for resources for the specified IAM user, IAM role, or root user. For example,
you can view the resource types that are enabled for longer IDs. This request only returns information about
resource types whose ID formats can be modified; it does not return information about other resource types. For
more information, see Resource
IDs in the Amazon Elastic Compute Cloud User Guide.

describeImages

Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.

The images available to you include public images, private images that you own, and private images owned by other
AWS accounts for which you have explicit launch permissions.

Recently deregistered images appear in the returned results for a short interval and then return empty results.
After all instances that reference a deregistered AMI are terminated, specifying the ID of the image results in
an error indicating that the AMI ID cannot be found.

describeInstanceCreditSpecifications

Describes the credit option for CPU usage of the specified T2 or T3 instances. The credit options are
standard and unlimited.

If you do not specify an instance ID, Amazon EC2 returns T2 and T3 instances with the unlimited
credit option, as well as instances that were previously configured as T2 or T3 with the unlimited
credit option. For example, if you resize a T2 instance, while it is configured as unlimited, to an
M4 instance, Amazon EC2 returns the M4 instance.

If you specify one or more instance IDs, Amazon EC2 returns the credit option (standard or
unlimited) of those instances. If you specify an instance ID that is not valid, such as an instance
that is not a T2 or T3 instance, an error is returned.

Recently terminated instances might appear in the returned results. This interval is usually less than one hour.

If an Availability Zone is experiencing a service disruption and you specify instance IDs in the affected zone,
or do not specify any instance IDs at all, the call fails. If you specify only instance IDs in an unaffected
zone, the call works normally.

describeInstances

If you specify one or more instance IDs, Amazon EC2 returns information for those instances. If you do not
specify instance IDs, Amazon EC2 returns information for all relevant instances. If you specify an instance ID
that is not valid, an error is returned. If you specify an instance that you do not own, it is not included in
the returned results.

Recently terminated instances might appear in the returned results. This interval is usually less than one hour.

If you describe instances in the rare case where an Availability Zone is experiencing a service disruption and
you specify instance IDs that are in the affected zone, or do not specify any instance IDs at all, the call
fails. If you describe instances and specify only instance IDs that are in an unaffected zone, the call works
normally.

describeMovingAddresses

Describes your Elastic IP addresses that are being moved to the EC2-VPC platform, or that are being restored to
the EC2-Classic platform. This request does not return information about any other Elastic IP addresses in your
account.

describePrefixLists

Describes available AWS services in a prefix list format, which includes the prefix list name and prefix list ID
of the service and the IP address range for the service. A prefix list ID is required for creating an outbound
security group rule that allows traffic from a VPC to access an AWS service through a gateway VPC endpoint.
Currently, the services that support this action are Amazon S3 and Amazon DynamoDB.

describePrincipalIdFormat

Describes the ID format settings for the root user and all IAM roles and IAM users that have explicitly specified
a longer ID (17-character ID) preference.

By default, all IAM roles and IAM users default to the same ID settings as the root user, unless they explicitly
override the settings. This request is useful for identifying those IAM users and IAM roles that have overridden
the default ID settings.

describeRegions

Describes the Regions that are currently available to you. The API returns a list of all the Regions, including
Regions that are disabled for your account. For information about enabling Regions for your account, see Enabling and Disabling Regions in the AWS Billing and Cost Management User Guide.

The Reserved Instance Marketplace matches sellers who want to resell Reserved Instance capacity that they no
longer need with buyers who want to purchase additional capacity. Reserved Instances bought and sold through the
Reserved Instance Marketplace work like any other Reserved Instances.

As a seller, you choose to list some or all of your Reserved Instances, and you specify the upfront price to
receive for them. Your Reserved Instances are then listed in the Reserved Instance Marketplace and are available
for purchase.

As a buyer, you specify the configuration of the Reserved Instance to purchase, and the Marketplace matches what
you're searching for with what's available. The Marketplace first sells the lowest priced Reserved Instances to
you, and continues to sell available Reserved Instance listings to you until your demand is met. You are charged
based on the total price of all of the listings that you purchase.

describeReservedInstancesModifications

Describes the modifications made to your Reserved Instances. If no parameter is specified, information about all
your Reserved Instances modification requests is returned. If a modification ID is specified, only information
about the specific modification is returned.

describeReservedInstancesOfferings

Describes Reserved Instance offerings that are available for purchase. With Reserved Instances, you purchase the
right to launch instances for a period of time. During that time period, you do not receive insufficient capacity
errors, and you pay a lower usage rate than the rate charged for On-Demand instances for the actual time used.

If you have listed your own Reserved Instances for sale in the Reserved Instance Marketplace, they will be
excluded from these results. This is to ensure that you do not purchase your own Reserved Instances.

describeRouteTables

Each subnet in your VPC must be associated with a route table. If a subnet is not explicitly associated with any
route table, it is implicitly associated with the main route table. This command does not return the subnet ID
for implicit associations.

For more information, see Route Tables in the
Amazon Virtual Private Cloud User Guide.

You can search for an available schedule no more than 3 months in advance. You must meet the minimum required
duration of 1,200 hours per year. For example, the minimum daily schedule is 4 hours, the minimum weekly schedule
is 24 hours, and the minimum monthly schedule is 100 hours.

After you find a schedule that meets your needs, call PurchaseScheduledInstances to purchase Scheduled
Instances with that schedule.

describeSecurityGroups

Describes the specified security groups or all of your security groups.

A security group is for use with instances either in the EC2-Classic platform or in a specific VPC. For more
information, see Amazon
EC2 Security Groups in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your
VPC in the Amazon Virtual Private Cloud User Guide.

describeSnapshots

Describes the specified EBS snapshots available to you or all of the EBS snapshots available to you.

The snapshots available to you include public snapshots, private snapshots that you own, and private snapshots
owned by other AWS accounts for which you have explicit create volume permissions.

The create volume permissions fall into the following categories:

public: The owner of the snapshot granted create volume permissions for the snapshot to the
all group. All AWS accounts have create volume permissions for these snapshots.

explicit: The owner of the snapshot granted create volume permissions to a specific AWS account.

implicit: An AWS account has implicit create volume permissions for all snapshots it owns.

The list of snapshots returned can be modified by specifying snapshot IDs, snapshot owners, or AWS accounts with
create volume permissions. If no options are specified, Amazon EC2 returns all snapshots for which you have
create volume permissions.

If you specify one or more snapshot IDs, only snapshots that have the specified IDs are returned. If you specify
an invalid snapshot ID, an error is returned. If you specify a snapshot ID for which you do not have access, it
is not included in the returned results.

If you specify one or more snapshot owners using the OwnerIds option, only snapshots from the
specified owners and for which you have access are returned. The results can include the AWS account IDs of the
specified owners, amazon for snapshots owned by Amazon, or self for snapshots that you
own.

If you specify a list of restorable users, only snapshots with create snapshot permissions for those users are
returned. You can specify AWS account IDs (if you own the snapshots), self for snapshots for which
you own or have explicit permissions, or all for public snapshots.

If you are describing a long list of snapshots, you can paginate the output to make the list more manageable. The
MaxResults parameter sets the maximum number of results returned in a single page. If the list of
results exceeds your MaxResults value, then that number of results is returned along with a
NextToken value that can be passed to a subsequent DescribeSnapshots request to
retrieve the remaining results.

For more information about EBS snapshots, see Amazon EBS Snapshots in the
Amazon Elastic Compute Cloud User Guide.

describeSpotFleetRequestHistory

Describes the events for the specified Spot Fleet request during the specified time.

Spot Fleet events are delayed by up to 30 seconds before they can be described. This ensures that you can query
by the last evaluated time and not miss a recorded event. Spot Fleet events are available for 48 hours.

You can use DescribeSpotInstanceRequests to find a running Spot Instance by examining the response.
If the status of the Spot Instance is fulfilled, the instance ID appears in the response and
contains the identifier of the instance. Alternatively, you can use DescribeInstances with a filter to
look for instances where the instance lifecycle is spot.

We recommend that you set MaxResults to a value between 5 and 1000 to limit the number of results
returned. This paginates the output, which makes the list more manageable and returns the results faster. If the
list of results exceeds your MaxResults value, then that number of results is returned along with a
NextToken value that can be passed to a subsequent DescribeSpotInstanceRequests request
to retrieve the remaining results.

Spot Instance requests are deleted four hours after they are canceled and their instances are terminated.

When you specify a start and end time, this operation returns the prices of the instance types within the time
range that you specified and the time when the price changed. The price is valid within the time period that you
specified; the response merely indicates the last time that the price changed.

describeStaleSecurityGroups

[VPC only] Describes the stale security group rules for security groups in a specified VPC. Rules are stale when
they reference a deleted security group in a peer VPC, or a security group in a peer VPC for which the VPC
peering connection has been deleted.

describeTransitGatewayAttachments

Describes one or more attachments between resources and transit gateways. By default, all attachments are
described. Alternatively, you can filter the results by attachment ID, attachment state, resource ID, or resource
owner.

describeVolumeStatus

Describes the status of the specified volumes. Volume status provides the result of the checks performed on your
volumes to determine events that can impair the performance of your volumes. The performance of a volume can be
affected if an issue occurs on the volume's underlying host. If the volume's underlying host experiences a power
outage or system issue, after the system is restored, there could be data inconsistencies on the volume. Volume
events notify you if this occurs. Volume actions notify you if any action needs to be taken in response to the
event.

The DescribeVolumeStatus operation provides the following information about the specified volumes:

Status: Reflects the current status of the volume. The possible values are ok,
impaired , warning, or insufficient-data. If all checks pass, the overall
status of the volume is ok. If the check fails, the overall status is impaired. If the
status is insufficient-data, then the checks may still be taking place on your volume at the time.
We recommend that you retry the request. For more information about volume status, see Monitoring the Status of
Your Volumes in the Amazon Elastic Compute Cloud User Guide.

Events: Reflect the cause of a volume status and may require you to take action. For example, if your
volume returns an impaired status, then the volume event might be
potential-data-inconsistency. This means that your volume has been affected by an issue with the
underlying host, has all I/O operations disabled, and may have inconsistent data.

Actions: Reflect the actions you may have to take in response to an event. For example, if the status of
the volume is impaired and the volume event shows potential-data-inconsistency, then
the action shows enable-volume-io. This means that you may want to enable the I/O operations for the
volume by calling the EnableVolumeIO action and then check the volume for data consistency.

Volume status is based on the volume status checks, and does not reflect the volume state. Therefore, volume
status does not indicate volumes in the error state (for example, when a volume is incapable of
accepting I/O.)

describeVolumes

If you are describing a long list of volumes, you can paginate the output to make the list more manageable. The
MaxResults parameter sets the maximum number of results returned in a single page. If the list of
results exceeds your MaxResults value, then that number of results is returned along with a
NextToken value that can be passed to a subsequent DescribeVolumes request to retrieve
the remaining results.

For more information about EBS volumes, see Amazon EBS Volumes in the
Amazon Elastic Compute Cloud User Guide.

Current-generation EBS volumes support modification of attributes including type, size, and (for io1
volumes) IOPS provisioning while either attached to or detached from an instance. Following an action from the
API or the console to modify a volume, the status of the modification may be modifying,
optimizing, completed, or failed. If a volume has never been modified,
then certain elements of the returned VolumeModification objects are null.

describeVpcClassicLinkDnsSupport

Describes the ClassicLink DNS support status of one or more VPCs. If enabled, the DNS hostname of a linked
EC2-Classic instance resolves to its private IP address when addressed from an instance in the VPC to which it's
linked. Similarly, the DNS hostname of an instance in a VPC resolves to its private IP address when addressed
from a linked EC2-Classic instance. For more information, see ClassicLink in the Amazon
Elastic Compute Cloud User Guide.

detachClassicLinkVpc

Unlinks (detaches) a linked EC2-Classic instance from a VPC. After the instance has been unlinked, the VPC
security groups are no longer associated with it. An instance is automatically unlinked from a VPC when it's
stopped.

detachVolume

Detaches an EBS volume from an instance. Make sure to unmount any file systems on the device within your
operating system before detaching the volume. Failure to do so can result in the volume becoming stuck in the
busy state while detaching. If this happens, detachment can be delayed indefinitely until you
unmount the volume, force detachment, reboot the instance, or all three. If an EBS volume is the root device of
an instance, it can't be detached while the instance is running. To detach the root volume, stop the instance
first.

When a volume with an AWS Marketplace product code is detached from an instance, the product code is no longer
associated with the instance.

detachVpnGateway

Detaches a virtual private gateway from a VPC. You do this if you're planning to turn off the VPC and not use it
anymore. You can confirm a virtual private gateway has been completely detached from a VPC by describing the
virtual private gateway (any attachments to the virtual private gateway are also described).

You must wait for the attachment's state to switch to detached before you can delete the VPC or
attach a different VPC to the virtual private gateway.

disableEbsEncryptionByDefault

Disables default encryption for EBS volumes that are created in your account in the current region.

Call this API if you have enabled default encryption using EnableEbsEncryptionByDefault and want to
disable default EBS encryption. Once default EBS encryption is disabled, you can still create an encrypted volume
by setting encrypted to true in the API call that creates the volume.

Disabling default EBS encryption will not change the encryption status of any of your existing volumes.

disableVpcClassicLinkDnsSupport

Disables ClassicLink DNS support for a VPC. If disabled, DNS hostnames resolve to public IP addresses when
addressed between a linked EC2-Classic instance and instances in the VPC to which it's linked. For more
information, see ClassicLink in the Amazon
Elastic Compute Cloud User Guide.

disassociateRouteTable

After you perform this action, the subnet no longer uses the routes in the route table. Instead, it uses the
routes in the VPC's main route table. For more information about route tables, see Route Tables in the
Amazon Virtual Private Cloud User Guide.

disassociateSubnetCidrBlock

Disassociates a CIDR block from a subnet. Currently, you can disassociate an IPv6 CIDR block only. You must
detach or delete all gateways and resources that are associated with the CIDR block before you can disassociate
it.

disassociateVpcCidrBlock

Disassociates a CIDR block from a VPC. To disassociate the CIDR block, you must specify its association ID. You
can get the association ID by using DescribeVpcs. You must detach or delete all gateways and resources
that are associated with the CIDR block before you can disassociate it.

You cannot disassociate the CIDR block with which you originally created the VPC (the primary CIDR block).

enableEbsEncryptionByDefault

Enables default encryption for EBS volumes that are created in your account in the current region.

Once encryption is enabled with this action, EBS volumes that are created in your account will always be
encrypted even if encryption is not specified at launch. This setting overrides the encrypted setting to
true in all API calls that create EBS volumes in your account. A volume will be encrypted even if you
specify encryption to be false in the API call that creates the volume.

If you do not specify a customer master key (CMK) in the API call that creates the EBS volume, then the volume is
encrypted to your AWS account's default CMK.

Enabling default encryption for EBS volumes has no effect on existing unencrypted volumes in your account.
Encrypting the data in these requires manual action. You can either create an encrypted snapshot of an
unencrypted volume, or encrypt a copy of an unencrypted snapshot. Any volume restored from an encrypted snapshot
is also encrypted. For more information, see Amazon EBS Snapshots.

Once EBS encryption by default is enabled, you can no longer launch older-generation instance types that do not
support encryption. For more information, see Supported Instance Types.

enableVpcClassicLink

Enables a VPC for ClassicLink. You can then link EC2-Classic instances to your ClassicLink-enabled VPC to allow
communication over private IP addresses. You cannot enable your VPC for ClassicLink if any of your VPC route
tables have existing routes for address ranges within the 10.0.0.0/8 IP address range, excluding
local routes for VPCs in the 10.0.0.0/16 and 10.1.0.0/16 IP address ranges. For more
information, see ClassicLink in the Amazon
Elastic Compute Cloud User Guide.

enableVpcClassicLinkDnsSupport

Enables a VPC to support DNS hostname resolution for ClassicLink. If enabled, the DNS hostname of a linked
EC2-Classic instance resolves to its private IP address when addressed from an instance in the VPC to which it's
linked. Similarly, the DNS hostname of an instance in a VPC resolves to its private IP address when addressed
from a linked EC2-Classic instance. For more information, see ClassicLink in the Amazon
Elastic Compute Cloud User Guide.

getConsoleOutput

Gets the console output for the specified instance. For Linux instances, the instance console output displays the
exact console output that would normally be displayed on a physical monitor attached to a computer. For Windows
instances, the instance console output includes the last three system event log errors.

By default, the console output returns buffered information that was posted shortly after an instance transition
state (start, stop, reboot, or terminate). This information is available for at least one hour after the most
recent post. Only the most recent 64 KB of console output is available.

You can optionally retrieve the latest serial console output at any time during the instance lifecycle. This
option is supported on instance types that use the Nitro hypervisor.

getPasswordData

Retrieves the encrypted administrator password for a running Windows instance.

The Windows password is generated at boot by the EC2Config service or EC2Launch scripts
(Windows Server 2016 and later). This usually only happens the first time an instance is launched. For more
information, see EC2Config and EC2Launch in the Amazon Elastic
Compute Cloud User Guide.

For the EC2Config service, the password is not generated for rebundled AMIs unless
Ec2SetPassword is enabled before bundling.

The password is encrypted using the key pair that you specified when you launched the instance. You must provide
the corresponding key pair file.

When you launch an instance, password generation and encryption may take a few minutes. If you try to retrieve
the password before it's available, the output returns an empty string. We recommend that you wait up to 15
minutes after launching an instance before trying to retrieve the generated password.

getReservedInstancesExchangeQuote

Returns a quote and exchange information for exchanging one or more specified Convertible Reserved Instances for
a new Convertible Reserved Instance. If the exchange cannot be performed, the reason is returned in the response.
Use AcceptReservedInstancesExchangeQuote to perform the exchange.

importKeyPair

Imports the public key from an RSA key pair that you created with a third-party tool. Compare this with
CreateKeyPair, in which AWS creates the key pair and gives the keys to you (AWS keeps a copy of the public
key). With ImportKeyPair, you create the key pair and give AWS just the public key. The private key is never
transferred between you and AWS.

For more information about key pairs, see Key Pairs in the Amazon
Elastic Compute Cloud User Guide.

modifyCapacityReservation

Modifies a Capacity Reservation's capacity and the conditions under which it is to be released. You cannot change
a Capacity Reservation's instance type, EBS optimization, instance store settings, platform, Availability Zone,
or instance eligibility. If you need to modify any of these attributes, we recommend that you cancel the Capacity
Reservation, and then create a new one with the required attributes.

modifyEbsDefaultKmsKeyId

Changes the default customer master key (CMK) that your account uses to encrypt EBS volumes if you don’t specify
a CMK in the API call.

Your account has an AWS-managed default CMK that is used for encrypting an EBS volume when no CMK is specified in
the API call that creates the volume. By calling this API, you can specify a customer-managed CMK to use in place
of the AWS-managed default CMK.

Note: Deleting or disabling the custom CMK that you have specified to act as your default CMK will result in
instance-launch failures.

modifyHosts

Modify the auto-placement setting of a Dedicated Host. When auto-placement is enabled, any instances that you
launch with a tenancy of host but without a specific host ID are placed onto any available Dedicated
Host in your account that has auto-placement enabled. When auto-placement is disabled, you need to provide a host
ID to have the instance launch onto a specific host. If no host ID is provided, the instance is launched onto a
suitable host with auto-placement enabled.

This setting applies to the IAM user who makes the request; it does not apply to the entire AWS account. By
default, an IAM user defaults to the same settings as the root user. If you're using this action as the root
user, then these settings apply to the entire account, unless an IAM user explicitly overrides these settings for
themselves. For more information, see Resource IDs in the Amazon
Elastic Compute Cloud User Guide.

Resources created with longer IDs are visible to all IAM roles and users, regardless of these settings and
provided that they have permission to use the relevant Describe command for the resource type.

modifyIdentityIdFormat

Modifies the ID format of a resource for a specified IAM user, IAM role, or the root user for an account; or all
IAM users, IAM roles, and the root user for an account. You can specify that resources should receive longer IDs
(17-character IDs) when they are created.

For more information, see Resource IDs in the Amazon
Elastic Compute Cloud User Guide.

This setting applies to the principal specified in the request; it does not apply to the principal that makes the
request.

Resources created with longer IDs are visible to all IAM roles and users, regardless of these settings and
provided that they have permission to use the relevant Describe command for the resource type.

modifyImageAttribute

Modifies the specified attribute of the specified AMI. You can specify only one attribute at a time. You can use
the Attribute parameter to specify the attribute or one of the following parameters:
Description, LaunchPermission, or ProductCode.

modifyInstanceAttribute

Modifies the specified attribute of the specified instance. You can specify only one attribute at a time.

Note: Using this action to change the security groups associated with an elastic network interface (ENI)
attached to an instance in a VPC can result in an error if the instance has more than one ENI. To change the
security groups associated with an ENI attached to an instance that has multiple ENIs, we recommend that you use
the ModifyNetworkInterfaceAttribute action.

Modifies the Capacity Reservation settings for a stopped instance. Use this action to configure an instance to
target a specific Capacity Reservation, run in any open Capacity Reservation with matching
attributes, or run On-Demand Instance capacity.

modifyInstancePlacement

Modifies the placement attributes for a specified instance. You can do the following:

Modify the affinity between an instance and a Dedicated Host. When
affinity is set to host and the instance is not associated with a specific Dedicated Host, the next
time the instance is launched, it is automatically associated with the host on which it lands. If the instance is
restarted or rebooted, this relationship persists.

Change the Dedicated Host with which an instance is associated.

Change the instance tenancy of an instance from host to dedicated, or from
dedicated to host.

modifyLaunchTemplate

Modifies a launch template. You can specify which version of the launch template to set as the default version.
When launching an instance, the default version applies when a launch template version is not specified.

modifySnapshotAttribute

Adds or removes permission settings for the specified snapshot. You may add or remove specified AWS account IDs
from a snapshot's list of create volume permissions, but you cannot do both in a single API call. If you need to
both add and remove account IDs for a snapshot, you must use multiple API calls.

Encrypted snapshots and snapshots with AWS Marketplace product codes cannot be made public. Snapshots encrypted
with your default CMK cannot be shared with other accounts.

For more information about modifying snapshot permissions, see Sharing
Snapshots in the Amazon Elastic Compute Cloud User Guide.

While the Spot Fleet request is being modified, it is in the modifying state.

To scale up your Spot Fleet, increase its target capacity. The Spot Fleet launches the additional Spot Instances
according to the allocation strategy for the Spot Fleet request. If the allocation strategy is
lowestPrice, the Spot Fleet launches instances using the Spot pool with the lowest price. If the
allocation strategy is diversified, the Spot Fleet distributes the instances across the Spot pools.

To scale down your Spot Fleet, decrease its target capacity. First, the Spot Fleet cancels any open requests that
exceed the new target capacity. You can request that the Spot Fleet terminate Spot Instances until the size of
the fleet no longer exceeds the new target capacity. If the allocation strategy is lowestPrice, the
Spot Fleet terminates the instances with the highest price per unit. If the allocation strategy is
diversified, the Spot Fleet terminates instances across the Spot pools. Alternatively, you can
request that the Spot Fleet keep the fleet at its current size, but not replace any Spot Instances that are
interrupted or that you terminate manually.

If you are finished with your Spot Fleet for now, but will use it again later, you can set the target capacity to
0.

When you complete a resize operation on your volume, you need to extend the volume's file-system size to take
advantage of the new storage capacity. For information about extending a Linux file system, see Extending a Linux File System. For information about extending a Windows file system, see Extending a Windows File System.

modifyVolumeAttribute

By default, all I/O operations for the volume are suspended when the data on the volume is determined to be
potentially inconsistent, to prevent undetectable, latent data corruption. The I/O access to the volume can be
resumed by first enabling I/O access and then checking the data consistency on your volume.

You can change the default behavior to resume I/O operations. We recommend that you change this only for boot
volumes or for volumes that are stateless or disposable.

modifyVpcEndpoint

Modifies attributes of a specified VPC endpoint. The attributes that you can modify depend on the type of VPC
endpoint (interface or gateway). For more information, see VPC Endpoints in the
Amazon Virtual Private Cloud User Guide.

modifyVpcEndpointServiceConfiguration

Modifies the attributes of your VPC endpoint service configuration. You can change the Network Load Balancers for
your service, and you can specify whether acceptance is required for requests to connect to your endpoint service
through an interface VPC endpoint.

modifyVpcEndpointServicePermissions

Modifies the permissions for your VPC endpoint service. You
can add or remove permissions for service consumers (IAM users, IAM roles, and AWS accounts) to connect to your
endpoint service.

If you grant permissions to all principals, the service is public. Any users who know the name of a public
service can send a request to attach an endpoint. If the service does not require manual approval, attachments
are automatically approved.

modifyVpcPeeringConnectionOptions

Modifies the VPC peering connection options on one side of a VPC peering connection. You can do the following:

Enable/disable communication over the peering connection between an EC2-Classic instance that's linked to your
VPC (using ClassicLink) and instances in the peer VPC.

Enable/disable communication over the peering connection between instances in your VPC and an EC2-Classic
instance that's linked to the peer VPC.

Enable/disable the ability to resolve public DNS hostnames to private IP addresses when queried from instances in
the peer VPC.

If the peered VPCs are in the same AWS account, you can enable DNS resolution for queries from the local VPC.
This ensures that queries from the local VPC resolve to private IP addresses in the peer VPC. This option is not
available if the peered VPCs are in different AWS accounts or different Regions. For peered VPCs in different AWS
accounts, each AWS account owner must initiate a separate request to modify the peering connection options. For
inter-region peering connections, you must use the Region for the requester VPC to modify the requester VPC
peering options and the Region for the accepter VPC to modify the accepter VPC peering options. To verify which
VPCs are the accepter and the requester for a VPC peering connection, use the
DescribeVpcPeeringConnections command.

modifyVpcTenancy

Modifies the instance tenancy attribute of the specified VPC. You can change the instance tenancy attribute of a
VPC to default only. You cannot change the instance tenancy attribute to dedicated.

After you modify the tenancy of the VPC, any new instances that you launch into the VPC have a tenancy of
default, unless you specify otherwise during launch. The tenancy of any existing instances in the
VPC is not affected.